According to a recent Forescout report, the second wave of 2023 Danish energy sector cyberattacks took advantage of unpatched firewalls using a newly “popular” CVE-2023-27881 and additional IP addresses. Evidence suggests the second wave was part of a separate mass exploitation campaign.

After the second incident, further attacks targeted exposed devices within critical infrastructure worldwide in the ensuing months. Researchers detected numerous IP addresses attempting to exploit the Zyxel vulnerability CVE-2023-28771, persisting as late as October 2023, across various devices, including additional Zyxel firewalls. Presently, six distinct power companies in European countries utilize Zyxel firewalls and may remain susceptible to potential exploitation by malicious actors.

This recent evidence underscores the imperative for energy firms and organizations overseeing critical infrastructure to place a greater emphasis on utilizing current threat intelligence, including information on malicious IPs and known exploited vulnerabilities. Governments are increasingly taking proactive measures by allocating funding to initiatives aimed at fortifying the security posture of critical infrastructure within the energy sector.